Probably a good idea to cc: this to the kernel list :-) I suspect it's intentional but with the planned changes for iptables etc to be backed by bpf in the upstream kernel sometime in the future it's likely going to need to be reviewed.
Peter

On Tue, Aug 7, 2018 at 10:25 PM, Timothée Ravier <[email protected]> wrote:
> Booting Fedora with Secure Boot enabled will result in Lockdown being enabled
> at boot time. This will completely disable the BPF system call for all users
> [1][2].
>
> Unfortunately, this breaks the IPAddressAllow & IPAddressDeny systemd feature
> [3][4][5].
>
> I don't have a solution for this, but as far as I understand, this will also
> prevent other BPF use-cases (for example: Cilium on Fedora CoreOS).
>
> [1] https://src.fedoraproject.org/rpms/kernel/blob/master/f/efi-lockdown.patch#_1525
> [2] https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?h=lockdown&id=0eb0d0851747787f7182b3e9d0d38edb5925a678
> [3] https://github.com/systemd/systemd/blob/master/src/core/bpf-firewall.c
> [4] https://github.com/systemd/systemd/blob/master/NEWS#L1192
> [5] https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#IPAddressAllow=ADDRESS%5B/PREFIXLENGTH%5D%E2%80%A6
> _______________________________________________
> devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/ZMEWJMQH6DDMV3AZ4IG7LOYMMIETCH42/

List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/RUWDEDQHS5I47YBPEZVEKXNU2BAX2SLU/
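The thread describes kernel Lockdown disabling the bpf(2) syscall and thereby silently defeating systemd's IPAddressAllow=/IPAddressDeny= (which systemd implements with cgroup BPF programs). The following is an added diagnostic script, not code from the thread, the Fedora kernel patch or systemd: it reports the active lockdown mode and lists unit files that depend on those directives, so an administrator can see which services would lose their IP filters. It assumes the sysfs format used by later mainline kernels, /sys/kernel/security/lockdown containing "[none] integrity confidentiality" with the active mode in brackets, and conservatively treats any mode other than none as blocking BPF, which matches the behaviour the thread describes for the 2018 Fedora patch. The file path and unit directory are parameters so the functions can be exercised against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): report whether kernel
# Lockdown would block the BPF system call and list systemd units that rely
# on IPAddressAllow=/IPAddressDeny= (backed by cgroup BPF programs).
#
# Assumption: the lockdown sysfs file has the mainline format
# "[none] integrity confidentiality", active mode in square brackets.

# Print the active lockdown mode from a lockdown sysfs file.
# A missing or unreadable file is reported as "none" (no lockdown LSM).
lockdown_mode() {
    file=${1:-/sys/kernel/security/lockdown}
    if [ ! -r "$file" ]; then
        echo none
        return 0
    fi
    # The active mode is the single word inside the square brackets.
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$file"
}

# Return 0 when BPF-backed systemd features are expected to work, 1 otherwise.
# Conservative: any mode other than "none" (or an unparseable file) counts as
# blocking, matching the "whole syscall disabled" behaviour from the thread.
bpf_usable() {
    case "$(lockdown_mode "$1")" in
        none) return 0 ;;
        *)    return 1 ;;
    esac
}

# List unit files under a directory that set IPAddressAllow= or IPAddressDeny=.
# The trailing sort keeps the pipeline's exit status at 0 even with no matches.
units_using_ip_filters() {
    dir=${1:-/etc/systemd/system}
    grep -rlE '^[[:space:]]*IPAddress(Allow|Deny)=' "$dir" 2>/dev/null | sort
}

main() {
    mode=$(lockdown_mode)
    echo "lockdown mode: $mode"
    if bpf_usable; then
        echo "BPF available: IPAddressAllow=/IPAddressDeny= can be enforced"
    else
        echo "BPF blocked by lockdown; these units will run without their IP filters:"
        units_using_ip_filters /etc/systemd/system
    fi
}

main
```

Run it as root on the host in question; with no arguments it reads the live sysfs file and scans /etc/systemd/system. Because systemd degrades gracefully rather than refusing to start a unit whose firewall programs cannot be loaded, a listing from this script is the place to look before assuming a service is actually network-restricted.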
